Saturday, August 07, 2010
E2-Labs :

Windows Libraries

W2. Windows Libraries

W2.1 Description

Windows libraries are modules that contain functions and data that can be used by other modules such as Windows applications. Windows applications typically leverage a large number of these libraries, often packaged as dynamic-link library (DLL) files, to carry out their functions. These libraries usually have the file extension DLL or OCX (for libraries containing ActiveX controls).

DLLs provide a way to modularize applications so that their functionality can be updated and reused easily. DLLs also help to reduce memory overhead when several applications use the same functionality at the same time. These libraries are used for many common tasks such as HTML parsing, image format decoding and protocol decoding. Local as well as remotely accessible applications use these libraries. Thus, a critical vulnerability in a library usually impacts a range of applications from Microsoft and third-party vendors that rely on that library. Often the exploitation is possible via multiple attack vectors. For instance, flaws in image processing libraries can be exploited via Internet Explorer, Office and image viewers. In most cases, the libraries are used by all flavors of Windows operating systems, which increases the number of systems available for attacks.

During the past year, several Windows libraries were reported to have critical vulnerabilities. In a number of cases, exploit code was discovered before patches were available (zero-day).

In December 2005, a vulnerability (CVE-2005-4560) was reported in the Graphics Rendering Engine: when handling specially crafted Windows Metafile (WMF) images, it could cause arbitrary code to be executed. Several malicious exploits and pieces of malware were discovered spreading widely over the Internet soon after the discovery. As this vulnerability can be exploited by simply viewing a malicious WMF image file (through websites or attachments), many applications were reported to be affected. Even some versions of Lotus Notes were reported to be affected by this WMF zero-day exploit. A patch was not available until early January 2006. Details of this vulnerability and exploits can be found at: http://isc.sans.org/diary.php?storyid=993.

As vulnerabilities in Windows libraries can be exploited through multiple vectors, in many cases a remote attacker only needs to persuade a user to access a specially crafted website, image, icon, or cursor file in order to execute arbitrary code on that user's system, with that user's privileges.

The critical libraries affected during the past year include:

  • Vulnerability in Windows Explorer Could Allow Remote Execution (MS06-057, MS06-015).
  • Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (MS06-050)
  • Vulnerability in HTML Help Could Allow Remote Code Execution (MS06-046)
  • Vulnerability in Microsoft Windows Could Allow Remote Code Execution (MS06-043)
  • Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (MS06-026, MS06-001)
  • Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (MS06-002)

W2.2. Operating Systems Affected

Windows NT, Windows 2000, Windows XP, Windows 2003

W2.3. CVE Entries

CVE-2005-4560, CVE-2006-0010, CVE-2006-0012, CVE-2006-2376, CVE-2006-2766, CVE-2006-3086, CVE-2006-3357, CVE-2006-3438, CVE-2006-3730, CVE-2006-4868

W2.4. How to Determine If You Are at Risk

  • Use any vulnerability scanner to check whether your systems are patched against these vulnerabilities. You can also consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.
  • You can also verify the presence of a patch by checking the registry key mentioned in the Registry Key Verification section of the corresponding security advisory. Additionally, it is advisable to also make sure the updated file versions mentioned in the advisory are installed on the system.
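
The two checks in the second bullet (registry key, then file version), scripted in PowerShell as an added example that is not part of the original advisory. The registry key, file name and minimum version are placeholders to be copied from the bulletin, the version numbers in the comment are constructed, and `Get-NumericFileVersion` and `Test-BulletinPatch` are names chosen here.

```powershell
# Added example. Every value in $Checks except the bulletin ID is a placeholder:
# copy the real key, file and version from the bulletin before running.
$Checks = @(
    [pscustomobject]@{
        Bulletin    = 'MS06-001'
        RegistryKey = 'HKLM:\SOFTWARE\PLACEHOLDER-key-from-advisory'
        FilePath    = Join-Path $env:SystemRoot 'System32\PLACEHOLDER-file-from-advisory.dll'
        MinVersion  = [version]'0.0.0.0'   # placeholder minimum file version
    }
)

function Get-NumericFileVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    # FileVersion is free-form text that can carry build-lab suffixes, so
    # rebuild the version from its four numeric parts instead of parsing it.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
        $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-BulletinPatch {
    param([Parameter(Mandatory = $true)]$Check)
    $keyPresent = Test-Path -LiteralPath $Check.RegistryKey
    $installed  = $null
    if (Test-Path -LiteralPath $Check.FilePath -PathType Leaf) {
        $installed = Get-NumericFileVersion -Path $Check.FilePath
    }
    # [version] compares each field as an integer, so 5.1.2600.10000 ranks above
    # 5.1.2600.2180 (constructed values); a string comparison orders them wrongly.
    $fileOk = ($null -ne $installed) -and ($installed -ge $Check.MinVersion)
    if ($keyPresent -and $fileOk) { $status = 'Patched' }
    elseif ($keyPresent -or $fileOk) { $status = 'Inconsistent' }   # key and file disagree
    else { $status = 'Missing' }
    [pscustomobject]@{
        Bulletin    = $Check.Bulletin
        KeyPresent  = $keyPresent
        FileVersion = $installed
        Required    = $Check.MinVersion
        Status      = $status
    }
}

$Checks | ForEach-Object { Test-BulletinPatch -Check $_ } | Format-Table -AutoSize
```

A result of `Inconsistent` means the registry key and the file on disk disagree, which is the case the bullet's advice to check both is meant to catch.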

W2.5. How to Protect against These Vulnerabilities

  • Ensure that your Windows systems have all the latest security patches installed.
  • Block the ports 135-139/tcp, 445/tcp and other ports used by Windows systems at the network perimeter. This prevents a remote attacker from exploiting the vulnerabilities via shared file systems.
  • Use TCP/IP Filtering available in Windows 2000 and XP, Windows Firewall in Windows XP systems or any third party personal firewall to block inbound access to the affected ports. It is important that the firewall is properly configured to block against external attacks effectively.
  • Intrusion Prevention/Detection Systems as well as anti-virus and malware detection software are very helpful in providing additional protection from malware and exploits that target these vulnerabilities.
  • If you are running third-party applications on customized Windows 2000/XP platforms, ensure that an appropriate patch from the vendor has been applied.
  • Follow the principle of "Least Privilege" to limit worms and Trojans from getting a foothold on any systems. Further details about limiting access to certain registry keys, executables and directories are available in the NSA guides at http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1.
  • Use system hardening guidelines (such as those from CISecurity) to make systems more resistant to remote and local attacks.
  • Due to the large number of attack vectors, be vigilant when receiving email attachments from unsolicited emails and when surfing to unknown websites. Do not click on unsolicited links received in emails, instant messages, web forums, or internet relay chat (IRC) channels.
  • Windows NT is no longer supported. Users should upgrade to Windows XP/2003.

W2.6. References

Vulnerability in Windows Explorer Could Allow Remote Execution
http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx

Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS06-050.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-015.mspx

Vulnerability in HTML Help Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS06-046.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-026.asp
http://www.microsoft.com/technet/security/bulletin/MS05-001.asp

Vulnerability in Microsoft Windows Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS06-043.asp

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS06-026.asp
http://www.microsoft.com/technet/security/bulletin/MS06-001.asp
http://www.microsoft.com/technet/security/bulletin/MS05-053.asp

Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS06-002.asp
